diff options
Diffstat (limited to 'usr.sbin/pppd/auth.c')
| -rw-r--r-- | usr.sbin/pppd/auth.c | 732 |
1 files changed, 573 insertions, 159 deletions
diff --git a/usr.sbin/pppd/auth.c b/usr.sbin/pppd/auth.c index 5e696a2..6a63893 100644 --- a/usr.sbin/pppd/auth.c +++ b/usr.sbin/pppd/auth.c @@ -33,7 +33,7 @@ */ #ifndef lint -static char rcsid[] = "$Id: auth.c,v 1.15 1997/04/16 02:07:06 danny Exp $"; +static char rcsid[] = "$Id$"; #endif #include <stdio.h> @@ -45,6 +45,7 @@ static char rcsid[] = "$Id: auth.c,v 1.15 1997/04/16 02:07:06 danny Exp $"; #include <string.h> #include <sys/types.h> #include <sys/stat.h> +#include <sys/socket.h> #include <netdb.h> #include <netinet/in.h> @@ -52,9 +53,16 @@ static char rcsid[] = "$Id: auth.c,v 1.15 1997/04/16 02:07:06 danny Exp $"; #include <sys/time.h> #include <utmp.h> +#ifdef USE_PAM +#include <security/pam_appl.h> +#include <security/pam_modules.h> +#endif + #ifdef HAS_SHADOW #include <shadow.h> +#ifndef SVR4 #include <shadow/pwauth.h> +#endif #ifndef PW_PPP #define PW_PPP PW_LOGIN #endif @@ -63,16 +71,14 @@ static char rcsid[] = "$Id: auth.c,v 1.15 1997/04/16 02:07:06 danny Exp $"; #include "pppd.h" #include "fsm.h" #include "lcp.h" +#include "ipcp.h" #include "upap.h" #include "chap.h" -#include "ipcp.h" -#include "ccp.h" +#ifdef CBCP_SUPPORT +#include "cbcp.h" +#endif #include "pathnames.h" -#if defined(sun) && defined(sparc) -#include <alloca.h> -#endif /*sparc*/ - /* Used for storing a sequence of words. Usually malloced. */ struct wordlist { struct wordlist *next; @@ -88,32 +94,58 @@ struct wordlist { #define FALSE 0 #define TRUE 1 +/* The name by which the peer authenticated itself to us. */ +char peer_authname[MAXNAMELEN]; + /* Records which authentication operations haven't completed yet. */ static int auth_pending[NUM_PPP]; + +/* Set if we have successfully called login() */ static int logged_in; -static int non_wildclient =0; /* not wild nor blank */ + +/* Set if we have run the /etc/ppp/auth-up script. */ +static int did_authup; + +/* List of addresses which the peer may use. */ static struct wordlist *addresses[NUM_PPP]; +/* Number of network protocols which we have opened. */ +static int num_np_open; + +/* Number of network protocols which have come up. */ +static int num_np_up; + +/* Set if we got the contents of passwd[] from the pap-secrets file. */ +static int passwd_from_file; + /* Bits in auth_pending[] */ -#define UPAP_WITHPEER 1 -#define UPAP_PEER 2 +#define PAP_WITHPEER 1 +#define PAP_PEER 2 #define CHAP_WITHPEER 4 #define CHAP_PEER 8 -/* Prototypes */ -void check_access __P((FILE *, char *)); +extern char *crypt __P((const char *, const char *)); + +/* Prototypes for procedures local to this file. */ static void network_phase __P((int)); +static void check_idle __P((void *)); +static void connect_time_expired __P((void *)); static int ppplogin __P((char *, char *, char **, int *)); static void ppplogout __P((void)); static int null_login __P((int)); -static int get_upap_passwd __P((void)); -static int have_upap_secret __P((void)); -static int have_chap_secret __P((char *, char *)); -static int scan_authfile __P((FILE *, char *, char *, char *, - struct wordlist **, char *)); +static int get_pap_passwd __P((char *)); +static int have_pap_secret __P((void)); +static int have_chap_secret __P((char *, char *, u_int32_t)); +static int ip_addr_check __P((u_int32_t, struct wordlist *)); +static int scan_authfile __P((FILE *, char *, char *, u_int32_t, char *, + struct wordlist **, char *)); static void free_wordlist __P((struct wordlist *)); -static void auth_set_ip_addr __P((int)); +static void auth_script __P((char *)); +static void set_allowed_addrs __P((int, struct wordlist *)); +#ifdef CBCP_SUPPORT +static void callback_phase __P((int)); +#endif /* * An Open on LCP has requested a change from Dead to Establish phase. @@ -154,9 +186,25 @@ void link_down(unit) int unit; { - ipcp_close(0); - ccp_close(0); - phase = PHASE_TERMINATE; + int i; + struct protent *protp; + + if (did_authup) { + auth_script(_PATH_AUTHDOWN); + did_authup = 0; + } + for (i = 0; (protp = protocols[i]) != NULL; ++i) { + if (!protp->enabled_flag) + continue; + if (protp->protocol != PPP_LCP && protp->lowerdown != NULL) + (*protp->lowerdown)(unit); + if (protp->protocol < 0xC000 && protp->close != NULL) + (*protp->close)(unit, "LCP down"); + } + num_np_open = 0; + num_np_up = 0; + if (phase != PHASE_DEAD) + phase = PHASE_TERMINATE; } /* @@ -171,6 +219,16 @@ link_established(unit) lcp_options *wo = &lcp_wantoptions[unit]; lcp_options *go = &lcp_gotoptions[unit]; lcp_options *ho = &lcp_hisoptions[unit]; + int i; + struct protent *protp; + + /* + * Tell higher-level protocols that LCP is up. + */ + for (i = 0; (protp = protocols[i]) != NULL; ++i) + if (protp->protocol != PPP_LCP && protp->enabled_flag + && protp->lowerup != NULL) + (*protp->lowerup)(unit); if (auth_required && !(go->neg_chap || go->neg_upap)) { /* @@ -180,8 +238,7 @@ link_established(unit) */ if (!wo->neg_upap || !null_login(unit)) { syslog(LOG_WARNING, "peer refused to authenticate"); - lcp_close(unit); - phase = PHASE_TERMINATE; + lcp_close(unit, "peer refused to authenticate"); return; } } @@ -193,14 +250,19 @@ link_established(unit) auth |= CHAP_PEER; } else if (go->neg_upap) { upap_authpeer(unit); - auth |= UPAP_PEER; + auth |= PAP_PEER; } if (ho->neg_chap) { - ChapAuthWithPeer(unit, our_name, ho->chap_mdtype); + ChapAuthWithPeer(unit, user, ho->chap_mdtype); auth |= CHAP_WITHPEER; } else if (ho->neg_upap) { + if (passwd[0] == 0) { + passwd_from_file = 1; + if (!get_pap_passwd(passwd)) + syslog(LOG_ERR, "No secret found for PAP login"); + } upap_authwithpeer(unit, user, passwd); - auth |= UPAP_WITHPEER; + auth |= PAP_WITHPEER; } auth_pending[unit] = auth; @@ -215,9 +277,41 @@ static void network_phase(unit) int unit; { + int i; + struct protent *protp; + lcp_options *go = &lcp_gotoptions[unit]; + + /* + * If the peer had to authenticate, run the auth-up script now. + */ + if ((go->neg_chap || go->neg_upap) && !did_authup) { + auth_script(_PATH_AUTHUP); + did_authup = 1; + } + +#ifdef CBCP_SUPPORT + /* + * If we negotiated callback, do it now. + */ + if (go->neg_cbcp) { + phase = PHASE_CALLBACK; + (*cbcp_protent.open)(unit); + return; + } +#endif + phase = PHASE_NETWORK; - ipcp_open(unit); - ccp_open(unit); +#if 0 + if (!demand) + set_filters(&pass_filter, &active_filter); +#endif + for (i = 0; (protp = protocols[i]) != NULL; ++i) + if (protp->protocol < 0xC000 && protp->enabled_flag + && protp->open != NULL) { + (*protp->open)(unit); + if (protp->protocol != PPP_CCP) + ++num_np_open; + } } /* @@ -230,16 +324,17 @@ auth_peer_fail(unit, protocol) /* * Authentication failure: take the link down */ - lcp_close(unit); - phase = PHASE_TERMINATE; + lcp_close(unit, "Authentication failed"); } /* * The peer has been successfully authenticated using `protocol'. */ void -auth_peer_success(unit, protocol) +auth_peer_success(unit, protocol, name, namelen) int unit, protocol; + char *name; + int namelen; { int bit; @@ -248,7 +343,7 @@ auth_peer_success(unit, protocol) bit = CHAP_PEER; break; case PPP_PAP: - bit = UPAP_PEER; + bit = PAP_PEER; break; default: syslog(LOG_WARNING, "auth_peer_success: unknown protocol %x", @@ -257,20 +352,19 @@ auth_peer_success(unit, protocol) } /* - * If we have overridden addresses based on auth info - * then set that information now before continuing + * Save the authenticated name of the peer for later. */ - auth_set_ip_addr(unit); + if (namelen > sizeof(peer_authname) - 1) + namelen = sizeof(peer_authname) - 1; + BCOPY(name, peer_authname, namelen); + peer_authname[namelen] = 0; /* * If there is no more authentication still to be done, - * proceed to the network phase. + * proceed to the network (or callback) phase. */ - if ((auth_pending[unit] &= ~bit) == 0) { - phase = PHASE_NETWORK; - ipcp_open(unit); - ccp_open(unit); - } + if ((auth_pending[unit] &= ~bit) == 0) + network_phase(unit); } /* @@ -280,6 +374,8 @@ void auth_withpeer_fail(unit, protocol) int unit, protocol; { + if (passwd_from_file) + BZERO(passwd, MAXSECRETLEN); /* * We've failed to authenticate ourselves to our peer. * He'll probably take the link down, and there's not much @@ -301,7 +397,9 @@ auth_withpeer_success(unit, protocol) bit = CHAP_WITHPEER; break; case PPP_PAP: - bit = UPAP_WITHPEER; + if (passwd_from_file) + BZERO(passwd, MAXSECRETLEN); + bit = PAP_WITHPEER; break; default: syslog(LOG_WARNING, "auth_peer_success: unknown protocol %x", @@ -310,14 +408,8 @@ auth_withpeer_success(unit, protocol) } /* - * If we have overridden addresses based on auth info - * then set that information now before continuing - */ - auth_set_ip_addr(unit); - - /* * If there is no more authentication still being done, - * proceed to the network phase. + * proceed to the network (or callback) phase. */ if ((auth_pending[unit] &= ~bit) == 0) network_phase(unit); @@ -325,13 +417,95 @@ auth_withpeer_success(unit, protocol) /* - * check_auth_options - called to check authentication options. + * np_up - a network protocol has come up. + */ +void +np_up(unit, proto) + int unit, proto; +{ + if (num_np_up == 0 && idle_time_limit > 0) { + TIMEOUT(check_idle, NULL, idle_time_limit); + + /* + * Set a timeout to close the connection once the maximum + * connect time has expired. + */ + if (maxconnect > 0) + TIMEOUT(connect_time_expired, 0, maxconnect); + } + ++num_np_up; +} + +/* + * np_down - a network protocol has gone down. + */ +void +np_down(unit, proto) + int unit, proto; +{ + if (--num_np_up == 0 && idle_time_limit > 0) { + UNTIMEOUT(check_idle, NULL); + } +} + +/* + * np_finished - a network protocol has finished using the link. + */ +void +np_finished(unit, proto) + int unit, proto; +{ + if (--num_np_open <= 0) { + /* no further use for the link: shut up shop. */ + lcp_close(0, "No network protocols running"); + } +} + +/* + * check_idle - check whether the link has been idle for long + * enough that we can shut it down. + */ +static void +check_idle(arg) + void *arg; +{ + struct ppp_idle idle; + time_t itime; + + if (!get_idle_time(0, &idle)) + return; + itime = MIN(idle.xmit_idle, idle.recv_idle); + if (itime >= idle_time_limit) { + /* link is idle: shut it down. */ + syslog(LOG_INFO, "Terminating connection due to lack of activity."); + need_holdoff = 0; + lcp_close(0, "Link inactive"); + } else { + TIMEOUT(check_idle, NULL, idle_time_limit - itime); + } +} + +/* + * connect_time_expired - log a message and close the connection. + */ +static void +connect_time_expired(arg) + void *arg; +{ + syslog(LOG_INFO, "Connect time expired"); + lcp_close(0, "Connect time expired"); /* Close connection */ +} + +/* + * auth_check_options - called to check authentication options. */ void -check_auth_options() +auth_check_options() { lcp_options *wo = &lcp_wantoptions[0]; - lcp_options *ao = &lcp_allowoptions[0]; + int can_auth; + ipcp_options *ipwo = &ipcp_wantoptions[0]; + u_int32_t remote; /* Default our_name to hostname, and user to our_name */ if (our_name[0] == 0 || usehostname) @@ -347,23 +521,69 @@ check_auth_options() /* * Check whether we have appropriate secrets to use - * to authenticate ourselves and/or the peer. + * to authenticate the peer. */ - if (ao->neg_upap && passwd[0] == 0 && !get_upap_passwd()) - ao->neg_upap = 0; - if (wo->neg_upap && !uselogin && !have_upap_secret()) - wo->neg_upap = 0; - if (ao->neg_chap && !have_chap_secret(our_name, remote_name)) - ao->neg_chap = 0; - if (wo->neg_chap && !have_chap_secret(remote_name, our_name)) - wo->neg_chap = 0; + can_auth = wo->neg_upap && (uselogin || have_pap_secret()); + if (!can_auth && wo->neg_chap) { + remote = ipwo->accept_remote? 0: ipwo->hisaddr; + can_auth = have_chap_secret(remote_name, our_name, remote); + } - if (auth_required && !wo->neg_chap && !wo->neg_upap) { - fprintf(stderr, "\ -pppd: peer authentication required but no authentication files accessible\n"); + if (auth_required && !can_auth) { + option_error("peer authentication required but no suitable secret(s) found\n"); + if (remote_name[0] == 0) + option_error("for authenticating any peer to us (%s)\n", our_name); + else + option_error("for authenticating peer %s to us (%s)\n", + remote_name, our_name); exit(1); } + /* + * Check whether the user tried to override certain values + * set by root. + */ + if (!auth_required && auth_req_info.priv > 0) { + if (!default_device && devnam_info.priv == 0) { + option_error("can't override device name when noauth option used"); + exit(1); + } + if ((connector != NULL && connector_info.priv == 0) + || (disconnector != NULL && disconnector_info.priv == 0) + || (welcomer != NULL && welcomer_info.priv == 0)) { + option_error("can't override connect, disconnect or welcome"); + option_error("option values when noauth option used"); + exit(1); + } + } +} + +/* + * auth_reset - called when LCP is starting negotiations to recheck + * authentication options, i.e. whether we have appropriate secrets + * to use for authenticating ourselves and/or the peer. + */ +void +auth_reset(unit) + int unit; +{ + lcp_options *go = &lcp_gotoptions[unit]; + lcp_options *ao = &lcp_allowoptions[0]; + ipcp_options *ipwo = &ipcp_wantoptions[0]; + u_int32_t remote; + + ao->neg_upap = !refuse_pap && (passwd[0] != 0 || get_pap_passwd(NULL)); + ao->neg_chap = !refuse_chap + && have_chap_secret(user, remote_name, (u_int32_t)0); + + if (go->neg_upap && !uselogin && !have_pap_secret()) + go->neg_upap = 0; + if (go->neg_chap) { + remote = ipwo->accept_remote? 0: ipwo->hisaddr; + if (!have_chap_secret(remote_name, our_name, remote)) + go->neg_chap = 0; + } + } @@ -391,6 +611,8 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg, msglen) char *filename; FILE *f; struct wordlist *addrs; + u_int32_t remote; + ipcp_options *ipwo = &ipcp_wantoptions[unit]; char passwd[256], user[256]; char secret[MAXWORDLEN]; static int attempts = 0; @@ -405,9 +627,10 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg, msglen) len = MIN(userlen, sizeof(user) - 1); BCOPY(auser, user, len); user[len] = '\0'; + *msg = (char *) 0; /* - * Open the file of upap secrets and scan for a suitable secret + * Open the file of pap secrets and scan for a suitable secret * for authenticating this user. */ filename = _PATH_UPAPFILE; @@ -415,17 +638,17 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg, msglen) ret = UPAP_AUTHACK; f = fopen(filename, "r"); if (f == NULL) { - if (!uselogin) { - syslog(LOG_ERR, "Can't open upap password file %s: %m", filename); - ret = UPAP_AUTHNAK; - } + syslog(LOG_ERR, "Can't open PAP password file %s: %m", filename); + ret = UPAP_AUTHNAK; } else { check_access(f, filename); - if (scan_authfile(f, user, our_name, secret, &addrs, filename) < 0 + remote = ipwo->accept_remote? 0: ipwo->hisaddr; + if (scan_authfile(f, user, our_name, remote, + secret, &addrs, filename) < 0 || (secret[0] != 0 && (cryptpap || strcmp(passwd, secret) != 0) && strcmp(crypt(passwd, secret), secret) != 0)) { - syslog(LOG_WARNING, "upap authentication failure for %s", user); + syslog(LOG_WARNING, "PAP authentication failure for %s", user); ret = UPAP_AUTHNAK; } fclose(f); @@ -434,12 +657,13 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg, msglen) if (uselogin && ret == UPAP_AUTHACK) { ret = ppplogin(user, passwd, msg, msglen); if (ret == UPAP_AUTHNAK) { - syslog(LOG_WARNING, "upap login failure for %s", user); + syslog(LOG_WARNING, "PAP login failure for %s", user); } } if (ret == UPAP_AUTHNAK) { - *msg = "Login incorrect"; + if (*msg == (char *) 0) + *msg = "Login incorrect"; *msglen = strlen(*msg); /* * Frustrate passwd stealer programs. @@ -458,17 +682,18 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg, msglen) } else { attempts = 0; /* Reset count */ - *msg = "Login ok"; + if (*msg == (char *) 0) + *msg = "Login ok"; *msglen = strlen(*msg); - if (addresses[unit] != NULL) - free_wordlist(addresses[unit]); - addresses[unit] = addrs; + set_allowed_addrs(unit, addrs); } + BZERO(passwd, sizeof(passwd)); + BZERO(secret, sizeof(secret)); + return ret; } - /* * Check if an "entry" is in the file "fname" - used by ppplogin. * Taken from libexec/ftpd/ftpd.c @@ -501,6 +726,18 @@ checkfile(fname, name) return (found); } +/* + * This function is needed for PAM. However, it should not be called. + * If it is, return the error code. + */ + +#ifdef USE_PAM +static int pam_conv(int num_msg, const struct pam_message **msg, + struct pam_response **resp, void *appdata_ptr) +{ + return PAM_CONV_ERR; +} +#endif /* * ppplogin - Check the user name and password against the system @@ -513,6 +750,7 @@ checkfile(fname, name) * * UPAP_AUTHACK should only be returned *after* wtmp and utmp are updated. */ + static int ppplogin(user, passwd, msg, msglen) char *user; @@ -520,21 +758,65 @@ ppplogin(user, passwd, msg, msglen) char **msg; int *msglen; { - struct utmp utmp; + char *tty; + +#ifdef USE_PAM + struct pam_conv pam_conversation; + pam_handle_t *pamh; + int pam_error; + char *pass; + char *dev; +/* + * Fill the pam_conversion structure + */ + memset (&pam_conversation, '\0', sizeof (struct pam_conv)); + pam_conversation.conv = &pam_conv; + + pam_error = pam_start ("ppp", user, &pam_conversation, &pamh); + if (pam_error != PAM_SUCCESS) { + *msg = (char *) pam_strerror (pam_error); + return UPAP_AUTHNAK; + } +/* + * Define the fields for the credintial validation + */ + (void) pam_set_item (pamh, PAM_AUTHTOK, passwd); + (void) pam_set_item (pamh, PAM_TTY, devnam); +/* + * Validate the user + */ + pam_error = pam_authenticate (pamh, PAM_SILENT); + if (pam_error == PAM_SUCCESS) + pam_error = pam_acct_mgmt (pamh, PAM_SILENT); + + *msg = (char *) pam_strerror (pam_error); +/* + * Clean up the mess + */ + (void) pam_end (pamh, pam_error); + + if (pam_error != PAM_SUCCESS) + return UPAP_AUTHNAK; +/* + * Use the non-PAM methods directly + */ +#else /* #ifdef USE_PAM */ + struct passwd *pw; + struct utmp utmp; struct timeval tp; char *epasswd; - char *tty; #ifdef HAS_SHADOW struct spwd *spwd; struct spwd *getspnam(); + extern int isexpired (struct passwd *, struct spwd *); /* in libshadow.a */ #endif - if ((pw = getpwnam(user)) == NULL) { + pw = getpwnam(user); + if (pw == NULL) { return (UPAP_AUTHNAK); } - /* * Check that the user is not listed in /etc/ppp/ppp.deny * and that the user's shell is listed in /etc/ppp/ppp.shells @@ -554,15 +836,20 @@ ppplogin(user, passwd, msg, msglen) } #ifdef HAS_SHADOW - if ((spwd = getspnam(user)) == NULL) { - pw->pw_passwd = ""; - } else { + spwd = getspnam(user); + endspent(); + if (spwd) { + /* check the age of the password entry */ + if (isexpired(pw, spwd)) { + syslog(LOG_WARNING,"Expired password for %s",user); + return (UPAP_AUTHNAK); + } pw->pw_passwd = spwd->sp_pwdp; } #endif /* - * If there is a password, check it. + * If no passwd, don't let them login. */ if (pw->pw_passwd[0] != '\0') { @@ -587,6 +874,7 @@ ppplogin(user, passwd, msg, msglen) } } } /* if password */ +#endif /* #ifdef USE_PAM */ syslog(LOG_INFO, "user %s logged in", user); @@ -596,6 +884,7 @@ ppplogin(user, passwd, msg, msglen) if (strncmp(tty, "/dev/", 5) == 0) tty += 5; + logwtmp(tty, user, remote_name); /* Add wtmp login entry */ logged_in = TRUE; memset((void *)&utmp, 0, sizeof(utmp)); @@ -642,7 +931,7 @@ null_login(unit) char secret[MAXWORDLEN]; /* - * Open the file of upap secrets and scan for a suitable secret. + * Open the file of pap secrets and scan for a suitable secret. * We don't accept a wildcard client. */ filename = _PATH_UPAPFILE; @@ -652,14 +941,14 @@ null_login(unit) return 0; check_access(f, filename); - i = scan_authfile(f, "", our_name, secret, &addrs, filename); + i = scan_authfile(f, "", our_name, (u_int32_t)0, secret, &addrs, filename); ret = i >= 0 && (i & NONWILD_CLIENT) != 0 && secret[0] == 0; + BZERO(secret, sizeof(secret)); - if (ret) { - if (addresses[unit] != NULL) - free_wordlist(addresses[unit]); - addresses[unit] = addrs; - } + if (ret) + set_allowed_addrs(unit, addrs); + else + free_wordlist(addrs); fclose(f); return ret; @@ -667,12 +956,13 @@ null_login(unit) /* - * get_upap_passwd - get a password for authenticating ourselves with + * get_pap_passwd - get a password for authenticating ourselves with * our peer using PAP. Returns 1 on success, 0 if no suitable password * could be found. */ static int -get_upap_passwd() +get_pap_passwd(passwd) + char *passwd; { char *filename; FILE *f; @@ -685,31 +975,39 @@ get_upap_passwd() if (f == NULL) return 0; check_access(f, filename); - if (scan_authfile(f, user, remote_name, secret, NULL, filename) < 0) + if (scan_authfile(f, user, + remote_name[0]? remote_name: NULL, + (u_int32_t)0, secret, NULL, filename) < 0) return 0; - strncpy(passwd, secret, MAXSECRETLEN); - passwd[MAXSECRETLEN-1] = 0; + if (passwd != NULL) { + strncpy(passwd, secret, MAXSECRETLEN); + passwd[MAXSECRETLEN-1] = 0; + } + BZERO(secret, sizeof(secret)); return 1; } /* - * have_upap_secret - check whether we have a PAP file with any + * have_pap_secret - check whether we have a PAP file with any * secrets that we could possibly use for authenticating the peer. */ static int -have_upap_secret() +have_pap_secret() { FILE *f; int ret; char *filename; + ipcp_options *ipwo = &ipcp_wantoptions[0]; + u_int32_t remote; filename = _PATH_UPAPFILE; f = fopen(filename, "r"); if (f == NULL) return 0; - ret = scan_authfile(f, NULL, our_name, NULL, NULL, filename); + remote = ipwo->accept_remote? 0: ipwo->hisaddr; + ret = scan_authfile(f, NULL, our_name, remote, NULL, NULL, filename); fclose(f); if (ret < 0) return 0; @@ -725,9 +1023,10 @@ have_upap_secret() * know the identity yet. */ static int -have_chap_secret(client, server) +have_chap_secret(client, server, remote) char *client; char *server; + u_int32_t remote; { FILE *f; int ret; @@ -743,7 +1042,7 @@ have_chap_secret(client, server) else if (server[0] == 0) server = NULL; - ret = scan_authfile(f, client, server, NULL, NULL, filename); + ret = scan_authfile(f, client, server, remote, NULL, NULL, filename); fclose(f); if (ret < 0) return 0; @@ -783,16 +1082,14 @@ get_secret(unit, client, server, secret, secret_len, save_addrs) } check_access(f, filename); - ret = scan_authfile(f, client, server, secbuf, &addrs, filename); + ret = scan_authfile(f, client, server, (u_int32_t)0, + secbuf, &addrs, filename); fclose(f); if (ret < 0) return 0; - if (save_addrs) { - if (addresses[unit] != NULL) - free_wordlist(addresses[unit]); - addresses[unit] = addrs; - } + if (save_addrs) + set_allowed_addrs(unit, addrs); len = strlen(secbuf); if (len > MAXSECRETLEN) { @@ -800,32 +1097,47 @@ get_secret(unit, client, server, secret, secret_len, save_addrs) len = MAXSECRETLEN; } BCOPY(secbuf, secret, len); + BZERO(secbuf, sizeof(secbuf)); *secret_len = len; return 1; } - +/* + * set_allowed_addrs() - set the list of allowed addresses. + */ static void -auth_set_ip_addr(unit) +set_allowed_addrs(unit, addrs) int unit; -{ struct wordlist *addrs; +{ + if (addresses[unit] != NULL) + free_wordlist(addresses[unit]); + addresses[unit] = addrs; - if (non_wildclient && (addrs = addresses[unit]) != NULL) { - for (; addrs != NULL; addrs = addrs->next) { - /* - * Look for address overrides, and set them if we have any - */ - if (strchr(addrs->word, ':') != NULL) { - if (setipaddr(addrs->word)) - break; - } + /* + * If there's only one authorized address we might as well + * ask our peer for that one right away + */ + if (addrs != NULL && addrs->next == NULL) { + char *p = addrs->word; + struct ipcp_options *wo = &ipcp_wantoptions[unit]; + u_int32_t a; + struct hostent *hp; + + if (wo->hisaddr == 0 && *p != '!' && *p != '-' + && strchr(p, '/') == NULL) { + hp = gethostbyname(p); + if (hp != NULL && hp->h_addrtype == AF_INET) + a = *(u_int32_t *)hp->h_addr; + else + a = inet_addr(p); + if (a != (u_int32_t) -1) + wo->hisaddr = a; } } } - /* * auth_ip_addr - check whether the peer is authorized to use * a given IP address. Returns 1 if authorized, 0 otherwise. @@ -835,40 +1147,93 @@ auth_ip_addr(unit, addr) int unit; u_int32_t addr; { - int x, y; - u_int32_t a; - struct hostent *hp; + return ip_addr_check(addr, addresses[unit]); +} + +static int +ip_addr_check(addr, addrs) + u_int32_t addr; struct wordlist *addrs; +{ + u_int32_t a, mask, ah; + int accept; + char *ptr_word, *ptr_mask; + struct hostent *hp; + struct netent *np; /* don't allow loopback or multicast address */ if (bad_ip_adrs(addr)) return 0; - x = y = 0; - for (addrs = addresses[unit]; addrs != NULL; addrs = addrs->next, y++) { - /* "-" means no addresses authorized */ - if (strcmp(addrs->word, "-") == 0) + if (addrs == NULL) + return !auth_required; /* no addresses authorized */ + + for (; addrs != NULL; addrs = addrs->next) { + /* "-" means no addresses authorized, "*" means any address allowed */ + ptr_word = addrs->word; + if (strcmp(ptr_word, "-") == 0) break; - /* - * A colon in the string means that we wish to force a specific - * local:remote address, but we ignore these for now - */ - if (strchr(addrs->word, ':') != NULL) - x++; - else { - if ((a = inet_addr(addrs->word)) == -1) { - if ((hp = gethostbyname(addrs->word)) == NULL) { - syslog(LOG_WARNING, "unknown host %s in auth. address list", - addrs->word); - continue; - } else - a = *(u_int32_t *)hp->h_addr; + if (strcmp(ptr_word, "*") == 0) + return 1; + + accept = 1; + if (*ptr_word == '!') { + accept = 0; + ++ptr_word; + } + + mask = ~ (u_int32_t) 0; + ptr_mask = strchr (ptr_word, '/'); + if (ptr_mask != NULL) { + int bit_count; + + bit_count = (int) strtol (ptr_mask+1, (char **) 0, 10); + if (bit_count <= 0 || bit_count > 32) { + syslog (LOG_WARNING, + "invalid address length %s in auth. address list", + ptr_mask); + continue; + } + *ptr_mask = '\0'; + mask <<= 32 - bit_count; + } + + hp = gethostbyname(ptr_word); + if (hp != NULL && hp->h_addrtype == AF_INET) { + a = *(u_int32_t *)hp->h_addr; + } else { + np = getnetbyname (ptr_word); + if (np != NULL && np->n_addrtype == AF_INET) { + a = htonl (*(u_int32_t *)np->n_net); + if (ptr_mask == NULL) { + /* calculate appropriate mask for net */ + ah = ntohl(a); + if (IN_CLASSA(ah)) + mask = IN_CLASSA_NET; + else if (IN_CLASSB(ah)) + mask = IN_CLASSB_NET; + else if (IN_CLASSC(ah)) + mask = IN_CLASSC_NET; + } + } else { + a = inet_addr (ptr_word); } - if (addr == a) - return 1; } + + if (ptr_mask != NULL) + *ptr_mask = '/'; + + if (a == (u_int32_t)-1L) + syslog (LOG_WARNING, + "unknown host %s in auth. address list", + addrs->word); + else + /* Here a and addr are in network byte order, + and mask is in host order. */ + if (((addr ^ a) & htonl(mask)) == 0) + return accept; } - return x == y; /* not in list => can't have it */ + return 0; /* not in list => can't have it */ } /* @@ -913,10 +1278,11 @@ check_access(f, filename) * info) are placed in a wordlist and returned in *addrs. */ static int -scan_authfile(f, client, server, secret, addrs, filename) +scan_authfile(f, client, server, ipaddr, secret, addrs, filename) FILE *f; char *client; char *server; + u_int32_t ipaddr; char *secret; struct wordlist **addrs; char *filename; @@ -924,9 +1290,10 @@ scan_authfile(f, client, server, secret, addrs, filename) int newline, xxx; int got_flag, best_flag; FILE *sf; - struct wordlist *ap, *addr_list, *addr_last; + struct wordlist *ap, *addr_list, *alist, *alast; char word[MAXWORDLEN]; char atfile[MAXWORDLEN]; + char lsecret[MAXWORDLEN]; if (addrs != NULL) *addrs = NULL; @@ -1002,16 +1369,12 @@ scan_authfile(f, client, server, secret, addrs, filename) fclose(sf); } if (secret != NULL) - strcpy(secret, word); - - best_flag = got_flag; + strcpy(lsecret, word); /* * Now read address authorization info and make a wordlist. */ - if (addr_list) - free_wordlist(addr_list); - addr_list = addr_last = NULL; + alist = alast = NULL; for (;;) { if (!getword(f, word, &newline, filename) || newline) break; @@ -1021,12 +1384,31 @@ scan_authfile(f, client, server, secret, addrs, filename) novm("authorized addresses"); ap->next = NULL; strcpy(ap->word, word); - if (addr_list == NULL) - addr_list = ap; + if (alist == NULL) + alist = ap; else - addr_last->next = ap; - addr_last = ap; + alast->next = ap; + alast = ap; + } + + /* + * Check if the given IP address is allowed by the wordlist. + */ + if (ipaddr != 0 && !ip_addr_check(ipaddr, alist)) { + free_wordlist(alist); + continue; } + + /* + * This is the best so far; remember it. + */ + best_flag = got_flag; + if (addr_list) + free_wordlist(addr_list); + addr_list = alist; + if (secret != NULL) + strcpy(secret, lsecret); + if (!newline) break; } @@ -1036,7 +1418,6 @@ scan_authfile(f, client, server, secret, addrs, filename) else if (addr_list != NULL) free_wordlist(addr_list); - non_wildclient = (best_flag & NONWILD_CLIENT) && client && *client != '\0'; return best_flag; } @@ -1055,3 +1436,36 @@ free_wordlist(wp) wp = next; } } + +/* + * auth_script - execute a script with arguments + * interface-name peer-name real-user tty speed + */ +static void +auth_script(script) + char *script; +{ + char strspeed[32]; + struct passwd *pw; + char struid[32]; + char *user_name; + char *argv[8]; + + if ((pw = getpwuid(getuid())) != NULL && pw->pw_name != NULL) + user_name = pw->pw_name; + else { + sprintf(struid, "%d", getuid()); + user_name = struid; + } + sprintf(strspeed, "%d", baud_rate); + + argv[0] = script; + argv[1] = ifname; + argv[2] = peer_authname; + argv[3] = user_name; + argv[4] = devnam; + argv[5] = strspeed; + argv[6] = NULL; + + run_program(script, argv, 0); +} |
